[Oisf-devel] {5} Suricata v0.8.0 and distance with only one previous content...

rmkml rmkml at free.fr
Sat Jan 2 19:17:33 UTC 2010


Yes, you are right, a signature with offset works for my case (and bypasses the Suricata problem).
(All parsers like snort/firestorm/sensorynetworks/bro/ex-preludeids are interesting.)
Thank you
Rmkml


On Sat, 2 Jan 2010, Will Metcalf wrote:

> I will double check the behavior of snort, but in this case why
> wouldn't you use a combination of depth/offset if dealing with the payload
> as a whole, where you would use distance/within to deal with a previous
> content match?
>
> Regards,
>
> Will
>
> On Sat, Jan 2, 2010 at 11:10 AM, rmkml <rmkml at free.fr> wrote:
>> Hi,
>> After a small test, I have a new small question about this signature:
>>  alert tcp any any -> any 80 (msg:"test"; content:"test"; nocase; distance:200; sid:1; rev:1;)
>>
>> If I start suricata:
>>  ./suricata080beta -c suricata.yaml -r test.pcap --init-errors-fatal
>> ...
>> [15389] 2/1/2010 -- 21:48:31 - (detect.c:327) <Info> (SigLoadSignatures) -- Loading rule file: test.rules
>> [15389] 2/1/2010 -- 21:48:31 - (detect-distance.c:48) <Error> (DetectDistanceSetup) -- [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(69)] - distance needs two preceeding content options
>>
>> On snort, this signature works; I'm searching for the 'test' string after beginning distance 200...
>> Regards
>> Rmkml
>> Crusoe-Researches.com

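To make the distinction in the thread concrete (offset/depth are anchored to the payload start, distance/within to the end of the previous content match), here is an added example that is not part of the thread or of Suricata's code: a minimal model of the four modifiers, run against a constructed payload, with a load-time check mirroring the error rmkml hit.

```python
# Added example, not from the thread or from Suricata's code: a minimal model of the
# Snort/Suricata content modifiers offset/depth (absolute) and distance/within (relative).

def find_content(payload, pattern, nocase=False, offset=None, depth=None,
                 distance=None, within=None, prev_end=None):
    """Return the index just past the match, or None if the pattern is not found.

    offset/depth are measured from the start of the payload; distance/within are
    measured from prev_end, the end of the previous content match in the rule.
    """
    if nocase:
        payload, pattern = payload.lower(), pattern.lower()
    if distance is not None or within is not None:
        if prev_end is None:
            # Relative modifier with no earlier content: the situation Suricata
            # rejects at rule load with SC_ERR_DISTANCE_MISSING_CONTENT.
            raise ValueError("distance/within require a preceding content match")
        start = prev_end + (distance or 0)
        end = start + within if within is not None else len(payload)
    else:
        start = offset or 0
        end = start + depth if depth is not None else len(payload)
    idx = payload.find(pattern, start, end)
    return None if idx < 0 else idx + len(pattern)


def rule_loads(contents):
    """Mimic the load-time check: a relative modifier on the first content is an error."""
    first = contents[0]
    return first.get("distance") is None and first.get("within") is None


def match_rule(payload, contents):
    """Evaluate the content dicts in order, chaining each match's end position."""
    prev_end = None
    for c in contents:
        prev_end = find_content(payload, prev_end=prev_end, **c)
        if prev_end is None:
            return False
    return True


# Constructed payload: 'test' at byte 190 and 'TEST' at byte 224 (248 bytes total).
PAYLOAD = b"X" * 190 + b"test" + b"Y" * 30 + b"TEST" + b"Z" * 20

# The rule from the thread with offset instead of distance: search for 'test' (nocase)
# from byte 200 onward. Matches the 'TEST' ending at byte 228.
RULE_OFFSET = [dict(pattern=b"test", nocase=True, offset=200)]

# Two-content rule: the second content is anchored to the end of the first match.
RULE_RELATIVE = [dict(pattern=b"test"), dict(pattern=b"TEST", distance=20, within=20)]
```

Running `match_rule(PAYLOAD, RULE_OFFSET)` and `match_rule(PAYLOAD, RULE_RELATIVE)` both return True, while `rule_loads([dict(pattern=b"test", nocase=True, distance=200)])` returns False for the original single-content rule.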
